<!DOCTYPE html>
<html lang="en-us">
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
    
<meta charset="UTF-8">
<title>Transform examples | Elasticsearch Guide [7.7] | Elastic</title>
<link rel="home" href="index.html" title="Elasticsearch Guide [7.7]">
<link rel="up" href="transforms.html" title="Transforming data">
<link rel="prev" href="ecommerce-transforms.html" title="Tutorial: Transforming the eCommerce sample data">
<link rel="next" href="transform-painless-examples.html" title="Painless examples for transforms">
<meta name="DC.type" content="Learn/Docs/Elasticsearch/Reference/7.7">
<meta name="DC.subject" content="Elasticsearch">
<meta name="DC.identifier" content="7.7">
<meta name="robots" content="noindex,nofollow">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <script src="https://cdn.optimizely.com/js/18132920325.js"></script>
    <link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
    <link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
    <link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
    <link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
    <link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
    <link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
    <link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
    <link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
    <link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
    <link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
    <link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
    <link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
    <link rel="manifest" href="/manifest.json">
    <meta name="apple-mobile-web-app-title" content="Elastic">
    <meta name="application-name" content="Elastic">
    <meta name="msapplication-TileColor" content="#ffffff">
    <meta name="msapplication-TileImage" content="/mstile-144x144.png">
    <meta name="theme-color" content="#ffffff">
    <meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd">
    <meta name="yandex-verification" content="d8a47e95d0972434">
    <meta name="localized" content="true">
    <meta name="st:robots" content="follow,index">
    <meta property="og:image" content="https://www.elastic.co/static/images/elastic-logo-200.png">
    <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
    <link rel="icon" href="/favicon.ico" type="image/x-icon">
    <link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
    <link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
    <link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
    <link rel="stylesheet" type="text/css" href="/guide/static/styles.css">
  </head>

  <!--© 2015-2021 Elasticsearch B.V. Copying, publishing and/or distributing without written permission is strictly prohibited.-->

  <body>
    <!-- Google Tag Manager -->
    <script>dataLayer = [];</script><noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-58RLH5" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
    <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-58RLH5');</script>
    <!-- End Google Tag Manager -->

    <!-- Global site tag (gtag.js) - Google Analytics -->
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-12395217-16"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());
      gtag('config', 'UA-12395217-16');
    </script>

    <!--BEGIN QUALTRICS WEBSITE FEEDBACK SNIPPET-->
    <script type="text/javascript">
      (function(){var g=function(e,h,f,g){
      this.get=function(a){for(var a=a+"=",c=document.cookie.split(";"),b=0,e=c.length;b<e;b++){for(var d=c[b];" "==d.charAt(0);)d=d.substring(1,d.length);if(0==d.indexOf(a))return d.substring(a.length,d.length)}return null};
      this.set=function(a,c){var b="",b=new Date;b.setTime(b.getTime()+6048E5);b="; expires="+b.toGMTString();document.cookie=a+"="+c+b+"; path=/; "};
      this.check=function(){var a=this.get(f);if(a)a=a.split(":");else if(100!=e)"v"==h&&(e=Math.random()>=e/100?0:100),a=[h,e,0],this.set(f,a.join(":"));else return!0;var c=a[1];if(100==c)return!0;switch(a[0]){case "v":return!1;case "r":return c=a[2]%Math.floor(100/c),a[2]++,this.set(f,a.join(":")),!c}return!0};
      this.go=function(){if(this.check()){var a=document.createElement("script");a.type="text/javascript";a.src=g;document.body&&document.body.appendChild(a)}};
      this.start=function(){var a=this;window.addEventListener?window.addEventListener("load",function(){a.go()},!1):window.attachEvent&&window.attachEvent("onload",function(){a.go()})}};
      try{(new g(100,"r","QSI_S_ZN_emkP0oSe9Qrn7kF","https://znemkp0ose9qrn7kf-elastic.siteintercept.qualtrics.com/WRSiteInterceptEngine/?Q_ZID=ZN_emkP0oSe9Qrn7kF")).start()}catch(i){}})();
    </script><div id="ZN_emkP0oSe9Qrn7kF"><!--DO NOT REMOVE-CONTENTS PLACED HERE--></div>
    <!--END WEBSITE FEEDBACK SNIPPET-->

    <div id="elastic-nav" style="display:none;"></div>
    <script src="https://www.elastic.co/elastic-nav.js"></script>

    <!-- Subnav -->
    <div>
      <div>
        <div class="tertiary-nav d-none d-md-block">
          <div class="container">
            <div class="p-t-b-15 d-flex justify-content-between nav-container">
              <div class="breadcrum-wrapper"><span><a href="/guide/" style="font-size: 14px; font-weight: 600; color: #000;">Docs</a></span></div>
            </div>
          </div>
        </div>
      </div>
    </div>

    <div class="main-container">
      <section id="content">
        <div class="content-wrapper">

          <section id="guide" lang="en">
            <div class="container">
              <div class="row">
                <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                  <!-- start body -->
                  <div class="page_header">
<strong>IMPORTANT</strong>: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
<a href="../current/index.html">current release documentation</a>.
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="data-rollup-transform.html">Roll up or transform your data</a></span>
»
<span class="breadcrumb-link"><a href="transforms.html">Transforming data</a></span>
»
<span class="breadcrumb-node">Transform examples</span>
</div>
<div class="navheader">
<span class="prev">
<a href="ecommerce-transforms.html">« Tutorial: Transforming the eCommerce sample data</a>
</span>
<span class="next">
<a href="transform-painless-examples.html">Painless examples for transforms »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="transform-examples"></a>Transform examples<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/transform/examples.asciidoc">edit</a><a class="xpack_tag" href="/subscriptions"></a>
</h2>
</div></div></div>

<p>These examples demonstrate how to use transforms to derive useful
insights from your data. All the examples use one of the
<a href="/guide/en/kibana/7.7/add-sample-data.html" class="ulink" target="_top">Kibana sample datasets</a>. For a more detailed,
step-by-step example, see
<a class="xref" href="ecommerce-transforms.html" title="Tutorial: Transforming the eCommerce sample data">Tutorial: Transforming the eCommerce sample data</a>.</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<a class="xref" href="transform-examples.html#example-best-customers" title="Finding your best customers">Finding your best customers</a>
</li>
<li class="listitem">
<a class="xref" href="transform-examples.html#example-airline" title="Finding air carriers with the most delays">Finding air carriers with the most delays</a>
</li>
<li class="listitem">
<a class="xref" href="transform-examples.html#example-clientips" title="Finding suspicious client IPs">Finding suspicious client IPs</a>
</li>
</ul>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="example-best-customers"></a>Finding your best customers<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/transform/examples.asciidoc">edit</a>
</h3>
</div></div></div>
<p>In this example, we use the eCommerce orders sample dataset to find the
customers who spent the most in our hypothetical webshop. Let’s transform the
data such that the destination index contains the number of orders, the total
price of the orders, the amount of unique products and the average price per
order, and the total amount of ordered products for each customer.</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST _transform/_preview
{
  "source": {
    "index": "kibana_sample_data_ecommerce"
  },
  "dest" : { <a id="CO445-1"></a><i class="conum" data-value="1"></i>
    "index" : "sample_ecommerce_orders_by_customer"
  },
  "pivot": {
    "group_by": { <a id="CO445-2"></a><i class="conum" data-value="2"></i>
      "user": { "terms": { "field": "user" }},
      "customer_id": { "terms": { "field": "customer_id" }}
    },
    "aggregations": {
      "order_count": { "value_count": { "field": "order_id" }},
      "total_order_amt": { "sum": { "field": "taxful_total_price" }},
      "avg_amt_per_order": { "avg": { "field": "taxful_total_price" }},
      "avg_unique_products_per_order": { "avg": { "field": "total_unique_products" }},
      "total_unique_products": { "cardinality": { "field": "products.product_id" }}
    }
  }
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1157.console"></div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO445-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>This is the destination index for the transform. It is ignored by
<code class="literal">_preview</code>.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO445-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>Two <code class="literal">group_by</code> fields have been selected. This means the transform will
contain a unique row per <code class="literal">user</code> and <code class="literal">customer_id</code> combination. Within this
dataset both these fields are unique. By including both in the transform it
gives more context to the final results.</p>
</td>
</tr>
</table>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>In the example above, condensed JSON formatting has been used for easier
readability of the pivot object.</p>
</div>
</div>
<p>The preview transforms API enables you to see the layout of the
transform in advance, populated with some sample values. For example:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "preview" : [
    {
      "total_order_amt" : 3946.9765625,
      "order_count" : 59.0,
      "total_unique_products" : 116.0,
      "avg_unique_products_per_order" : 2.0,
      "customer_id" : "10",
      "user" : "recip",
      "avg_amt_per_order" : 66.89790783898304
    },
    ...
    ]
  }</pre>
</div>
<p>This transform makes it easier to answer questions such as:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Which customers spend the most?
</li>
<li class="listitem">
Which customers spend the most per order?
</li>
<li class="listitem">
Which customers order most often?
</li>
<li class="listitem">
Which customers ordered the least number of different products?
</li>
</ul>
</div>
<p>It’s possible to answer these questions using aggregations alone, however
transforms allow us to persist this data as a customer centric index. This
enables us to analyze data at scale and gives more flexibility to explore and
navigate data from a customer centric perspective. In some cases, it can even
make creating visualizations much simpler.</p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="example-airline"></a>Finding air carriers with the most delays<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/transform/examples.asciidoc">edit</a>
</h3>
</div></div></div>
<p>In this example, we use the Flights sample dataset to find out which air carrier
had the most delays. First, we filter the source data such that it excludes all
the cancelled flights by using a query filter. Then we transform the data to
contain the distinct number of flights, the sum of delayed minutes, and the sum
of the flight minutes by air carrier. Finally, we use a
<a href="/guide/en/elasticsearch/reference/7.7/search-aggregations-pipeline-bucket-script-aggregation.html" class="ulink" target="_top"><code class="literal">bucket_script</code></a>
to determine what percentage of the flight time was actually delay.</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST _transform/_preview
{
  "source": {
    "index": "kibana_sample_data_flights",
    "query": { <a id="CO446-1"></a><i class="conum" data-value="1"></i>
      "bool": {
        "filter": [
          { "term":  { "Cancelled": false } }
        ]
      }
    }
  },
  "dest" : { <a id="CO446-2"></a><i class="conum" data-value="2"></i>
    "index" : "sample_flight_delays_by_carrier"
  },
  "pivot": {
    "group_by": { <a id="CO446-3"></a><i class="conum" data-value="3"></i>
      "carrier": { "terms": { "field": "Carrier" }}
    },
    "aggregations": {
      "flights_count": { "value_count": { "field": "FlightNum" }},
      "delay_mins_total": { "sum": { "field": "FlightDelayMin" }},
      "flight_mins_total": { "sum": { "field": "FlightTimeMin" }},
      "delay_time_percentage": { <a id="CO446-4"></a><i class="conum" data-value="4"></i>
        "bucket_script": {
          "buckets_path": {
            "delay_time": "delay_mins_total.value",
            "flight_time": "flight_mins_total.value"
          },
          "script": "(params.delay_time / params.flight_time) * 100"
        }
      }
    }
  }
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1158.console"></div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO446-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>Filter the source data to select only flights that were not cancelled.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO446-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>This is the destination index for the transform. It is ignored by
<code class="literal">_preview</code>.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO446-3"><i class="conum" data-value="3"></i></a></p>
</td>
<td align="left" valign="top">
<p>The data is grouped by the <code class="literal">Carrier</code> field which contains the airline name.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO446-4"><i class="conum" data-value="4"></i></a></p>
</td>
<td align="left" valign="top">
<p>This <code class="literal">bucket_script</code> performs calculations on the results that are returned
by the aggregation. In this particular example, it calculates what percentage of
travel time was taken up by delays.</p>
</td>
</tr>
</table>
</div>
<p>The preview shows you that the new index would contain data like this for each
carrier:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "preview" : [
    {
      "carrier" : "ES-Air",
      "flights_count" : 2802.0,
      "flight_mins_total" : 1436927.5130677223,
      "delay_time_percentage" : 9.335543983955839,
      "delay_mins_total" : 134145.0
    },
    ...
  ]
}</pre>
</div>
<p>This transform makes it easier to answer questions such as:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Which air carrier has the most delays as a percentage of flight time?
</li>
</ul>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>This data is fictional and does not reflect actual delays
or flight stats for any of the featured destination or origin airports.</p>
</div>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="example-clientips"></a>Finding suspicious client IPs<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/transform/examples.asciidoc">edit</a>
</h3>
</div></div></div>
<p>In this example, we use the web log sample dataset to identify suspicious client
IPs. We transform the data such that the new index contains the sum of bytes and
the number of distinct URLs, agents, incoming requests by location, and
geographic destinations for each client IP. We also use filter aggregations to
count the specific types of HTTP responses that each client IP receives.
Ultimately, the example below transforms web log data into an entity centric
index where the entity is <code class="literal">clientip</code>.</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">PUT _transform/suspicious_client_ips
{
  "source": {
    "index": "kibana_sample_data_logs"
  },
  "dest" : { <a id="CO447-1"></a><i class="conum" data-value="1"></i>
    "index" : "sample_weblogs_by_clientip"
  },
  "sync" : { <a id="CO447-2"></a><i class="conum" data-value="2"></i>
    "time": {
      "field": "timestamp",
      "delay": "60s"
    }
  },
  "pivot": {
    "group_by": {  <a id="CO447-3"></a><i class="conum" data-value="3"></i>
      "clientip": { "terms": { "field": "clientip" } }
      },
    "aggregations": {
      "url_dc": { "cardinality": { "field": "url.keyword" }},
      "bytes_sum": { "sum": { "field": "bytes" }},
      "geo.src_dc": { "cardinality": { "field": "geo.src" }},
      "agent_dc": { "cardinality": { "field": "agent.keyword" }},
      "geo.dest_dc": { "cardinality": { "field": "geo.dest" }},
      "responses.total": { "value_count": { "field": "timestamp" }},
      "success" : { <a id="CO447-4"></a><i class="conum" data-value="4"></i>
         "filter": {
            "term": { "response" : "200"}}
        },
      "error404" : {
         "filter": {
            "term": { "response" : "404"}}
        },
      "error503" : {
         "filter": {
            "term": { "response" : "503"}}
        },
      "timestamp.min": { "min": { "field": "timestamp" }},
      "timestamp.max": { "max": { "field": "timestamp" }},
      "timestamp.duration_ms": { <a id="CO447-5"></a><i class="conum" data-value="5"></i>
        "bucket_script": {
          "buckets_path": {
            "min_time": "timestamp.min.value",
            "max_time": "timestamp.max.value"
          },
          "script": "(params.max_time - params.min_time)"
        }
      }
    }
  }
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1159.console"></div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO447-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>This is the destination index for the transform.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO447-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>Configures the transform to run continuously. It uses the <code class="literal">timestamp</code> field
to synchronize the source and destination indices. The worst case
ingestion delay is 60 seconds.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO447-3"><i class="conum" data-value="3"></i></a></p>
</td>
<td align="left" valign="top">
<p>The data is grouped by the <code class="literal">clientip</code> field.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO447-4"><i class="conum" data-value="4"></i></a></p>
</td>
<td align="left" valign="top">
<p>Filter aggregation that counts the occurrences of successful (<code class="literal">200</code>)
responses in the <code class="literal">response</code> field. The following two aggregations (<code class="literal">error404</code>
and <code class="literal">error503</code>) count the error responses by error codes.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO447-5"><i class="conum" data-value="5"></i></a></p>
</td>
<td align="left" valign="top">
<p>This <code class="literal">bucket_script</code> calculates the duration of the <code class="literal">clientip</code> access based
on the results of the aggregation.</p>
</td>
</tr>
</table>
</div>
<p>After you create the transform, you must start it:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST _transform/suspicious_client_ips/_start</pre>
</div>
<div class="console_widget" data-snippet="snippets/1160.console"></div>
<p>Shortly thereafter, the first results should be available in the destination
index:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">GET sample_weblogs_by_clientip/_search</pre>
</div>
<div class="console_widget" data-snippet="snippets/1161.console"></div>
<p>The search result shows you data like this for each client IP:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">    "hits" : [
      {
        "_index" : "sample_weblogs_by_clientip",
        "_id" : "MOeHH_cUL5urmartKj-b5UQAAAAAAAAA",
        "_score" : 1.0,
        "_source" : {
          "geo" : {
            "src_dc" : 2.0,
            "dest_dc" : 2.0
          },
          "success" : 2,
          "error404" : 0,
          "error503" : 0,
          "clientip" : "0.72.176.46",
          "agent_dc" : 2.0,
          "bytes_sum" : 4422.0,
          "responses" : {
            "total" : 2.0
          },
          "url_dc" : 2.0,
          "timestamp" : {
            "duration_ms" : 5.2191698E8,
            "min" : "2020-03-16T07:51:57.333Z",
            "max" : "2020-03-22T08:50:34.313Z"
          }
        }
      }
    ]</pre>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Like other Kibana sample data sets, the web log sample dataset contains
timestamps relative to when you installed it, including timestamps in the
future. The continuous transform will pick up the data points once they are in the past.
If you installed the web log sample dataset some time ago, you can uninstall and
reinstall it and the timestamps will change.</p>
</div>
</div>
<p>This transform makes it easier to answer questions such as:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Which client IPs are transferring the most amounts of data?
</li>
<li class="listitem">
Which client IPs are interacting with a high number of different URLs?
</li>
<li class="listitem">
Which client IPs have high error rates?
</li>
<li class="listitem">
Which client IPs are interacting with a high number of destination countries?
</li>
</ul>
</div>
</div>

</div>
<div class="navfooter">
<span class="prev">
<a href="ecommerce-transforms.html">« Tutorial: Transforming the eCommerce sample data</a>
</span>
<span class="next">
<a href="transform-painless-examples.html">Painless examples for transforms »</a>
</span>
</div>
</div>

                  <!-- end body -->
                </div>
                <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                  <div id="rtpcontainer" style="display: block;">
                    <div class="mktg-promo">
                      <h3>Most Popular</h3>
                      <ul class="icons">
                        <li class="icon-elasticsearch-white"><a href="https://www.elastic.co/webinars/getting-started-elasticsearch?baymax=default&amp;elektra=docs&amp;storm=top-video">Get Started with Elasticsearch: Video</a></li>
                        <li class="icon-kibana-white"><a href="https://www.elastic.co/webinars/getting-started-kibana?baymax=default&amp;elektra=docs&amp;storm=top-video">Intro to Kibana: Video</a></li>
                        <li class="icon-logstash-white"><a href="https://www.elastic.co/webinars/introduction-elk-stack?baymax=default&amp;elektra=docs&amp;storm=top-video">ELK for Logs &amp; Metrics: Video</a></li>
                      </ul>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </section>

        </div>


<div id="elastic-footer"></div>
<script src="https://www.elastic.co/elastic-footer.js"></script>
<!-- Footer Section end-->

      </section>
    </div>

<script src="/guide/static/jquery.js"></script>
<script type="text/javascript" src="/guide/static/docs.js"></script>
<script type="text/javascript">
  window.initial_state = {}</script>
  </body>
</html>
